Limited Data Set Records
A limited data set is a limited set of identifiable patient information as defined in the Privacy Regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). A limited data set may be disclosed to an outside party without a patient's authorization if certain conditions are met. First, the purpose of the disclosure may only be research, public health, or health care operations. Second, the person receiving the information must sign a data use agreement with CMG. This agreement has specific requirements, which are shown below.
A limited data set is information from which identifiers have been removed. Specifically, as it relates to the individual or his or her relatives, employers, or household members, all the following identifiers must be removed in order for health information to be a limited data set:
- Names
- Street addresses (other than town, city, state, and zip code)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical records numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric identifiers (including finger and voice prints)
- Full-face photos (or comparable images)
The health information that may remain in the information disclosed includes:
- Dates such as admission, discharge, service, date of birth, and date of death
- City, state, and zip code (five-digit or longer)
- Ages in years, months, days, or hours
Note: This information is still protected health information (PHI) under HIPAA. It is not de-identified information and is still subject to the requirements of the Privacy Regulations.
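The two lists above are, in practice, an allow-list and a deny-list applied to each record before it leaves the covered entity. The following Python example is added here to show how that filtering is typically implemented; it is not part of this policy or any CMG system. The field names (`ssn`, `mrn`, `dob`, and so on), the sample record, and the regular expressions for catching identifiers that leak through free-text fields are all assumptions made for illustration. The function keeps only fields that are explicitly permitted (dates, city/state/zip, ages) or explicitly named as clinical data, drops everything else (so an unrecognised column fails closed), and then refuses to emit a record whose retained free text still contains something that looks like an SSN, e-mail address, telephone number, IP address, or URL.

```python
import re
from typing import Any, Dict, Iterable, List, Tuple

# Fields carrying identifiers that the Privacy Regulations require to be
# removed before a record can be a limited data set.  The field names are an
# assumed source schema, not a CMG schema.
PROHIBITED_FIELDS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "license_plate", "device_serial", "url", "ip_address", "biometric", "photo",
})

# Fields that may remain: dates, city/state/zip, and ages.
PERMITTED_FIELDS = frozenset({
    "admission_date", "discharge_date", "service_date", "dob", "death_date",
    "city", "state", "zip", "age_years",
})

# Patterns for direct identifiers that commonly survive inside free-text
# fields such as clinical notes.  These are illustrative, not exhaustive.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


class ResidualIdentifierError(ValueError):
    """Raised when a retained field still contains a direct identifier."""

    def __init__(self, hits: List[Tuple[str, str]]):
        super().__init__(f"direct identifiers found in retained fields: {hits}")
        self.hits = hits


def scan_for_residual_identifiers(record: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (field, identifier_type) pairs for every string field that
    matches one of RESIDUAL_PATTERNS.  Non-string values are skipped."""
    hits: List[Tuple[str, str]] = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, label))
    return hits


def build_limited_data_set_record(
    record: Dict[str, Any], clinical_fields: Iterable[str] = ()
) -> Dict[str, Any]:
    """Return a copy of `record` reduced to a limited data set.

    Allow-list semantics: a field is kept only if it is in PERMITTED_FIELDS or
    is explicitly named in `clinical_fields` (diagnosis codes, notes, ...).
    Prohibited and unrecognised fields are dropped.  Retained free text is then
    scanned, and the record is rejected if a direct identifier remains.
    """
    clinical = set(clinical_fields)
    overlap = clinical & PROHIBITED_FIELDS
    if overlap:
        raise ValueError(f"clinical_fields may not name prohibited identifiers: {sorted(overlap)}")
    kept = {k: v for k, v in record.items() if k in PERMITTED_FIELDS or k in clinical}
    hits = scan_for_residual_identifiers(kept)
    if hits:
        raise ResidualIdentifierError(hits)
    return kept


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "street_address": "12 Example Lane",
    "city": "Springfield", "state": "IL", "zip": "62704",
    "phone": "555-555-5555",
    "ssn": "000-00-0000",
    "mrn": "MRN-000000",
    "dob": "1970-01-01",
    "admission_date": "2023-03-04",
    "discharge_date": "2023-03-09",
    "age_years": 53,
    "diagnosis_code": "E11.9",
    "notes": "Patient stable at discharge.",
}

if __name__ == "__main__":
    print(build_limited_data_set_record(SAMPLE_RECORD, clinical_fields={"diagnosis_code", "notes"}))
    leaky = dict(SAMPLE_RECORD, notes="Call patient at 555-555-5555 before follow-up.")
    try:
        build_limited_data_set_record(leaky, clinical_fields={"notes"})
    except ResidualIdentifierError as exc:
        print("rejected:", exc.hits)
```

The allow-list is the important design choice: a deny-list alone would silently pass through any new column added to the source system, whereas here anything not explicitly permitted is dropped. The free-text scan is a safety net, not a guarantee; names and medical record numbers have no reliable regular expression, so notes fields should be reviewed or excluded rather than trusted to the scanner.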
Data Use Agreements
Because a limited data set is still PHI, the Privacy Regulations protect the privacy of individuals by requiring covered entities (CMG) to enter into Data Use Agreements with recipients of limited data sets. The Data Use Agreement must meet the following standards specified in the Privacy Regulations:
- Establish the permitted uses and disclosures of the limited data set.
- Identify who may use or receive the information.
- Prohibit the recipient from using or further disclosing the information, except as permitted by the agreement or as permitted by law.
- Require the recipient to use appropriate safeguards to prevent a use or disclosure that is not permitted by the agreement.
- Require the recipient to report to the covered entity any unauthorized use or disclosure of which it becomes aware.
- Require the recipient to ensure that any agents (including subcontractors) to whom it provides the information agree to the same restrictions as provided in the agreement.
- Prohibit the recipient from identifying the individuals in the information or from contacting them.
The limited data set provisions also require covered entities to take reasonable steps to cure any breach by a recipient of the Data Use Agreement. If CMG determines that data provided to a recipient is being used in a manner not permitted by the agreement, it must work with the recipient to correct this problem. If these steps are unsuccessful, CMG must discontinue disclosure of PHI to the recipient under the Data Use Agreement and report the situation to the Privacy Office at 555-555-5555 or email@email.com.
Creating the Limited Data Set
A covered entity (CMG) can use a member of its own workforce to create the limited data set. The Department of Health and Human Services (DHHS) indicates that a covered entity may also allow the person requesting a limited data set to create it, as long as that person is acting as a business associate of the covered entity. A business associate is someone who is not part of the covered entity's workforce but who will use the covered entity's PHI to perform some task on behalf of the covered entity. Examples of business associates include lawyers, accountants, and firms that analyze patient data. The covered entity (CMG) must enter into a separate business associate agreement with the entity, and the agreement must meet the requirements of the Privacy Regulations. After the limited data set is created under the business associate agreement, all of the PHI, other than the PHI qualifying as the limited data set under the data use agreement, must be returned to the covered entity.
Thus, it is possible that someone at the recipient will act as the covered entity’s business associate to create the limited data set from a broader set of PHI. In such a case, the recipient must sign both the data use agreement and the business associate agreement.
Responsibility for Data Use Agreements
Responsibilities for a Data Use Agreement differ depending on whether CMG is providing or receiving the limited data set.
When CMG is the Provider of the Data
CMG has drafted a Data Use Agreement form document for use by those who wish to disclose a limited data set to recipients. This template may be accessed at HIPAA IRB Form 9. When CMG is providing the limited data set, if any material change is to be made to this template form, or if another party’s version of a Data Use Agreement is to be used, the office must review and approve the terms of the agreement. See HIPAA Policy template AB.9.1b.
When CMG is the Recipient of the Data
If a researcher at CMG is the recipient of a limited data set of PHI from a non-CMG source, the CMG researcher will most likely be asked to sign the other party's Data Use Agreement. In that case, the CMG researcher is responsible for reviewing the Data Use Agreement and determining whether it complies in material terms with the CMG Data Use Agreement template. If the other party's Data Use Agreement differs materially from the CMG Data Use Agreement template, or if there is any uncertainty, the Office of Research Administration must be consulted.
Tracking and Accounting
Disclosures of a limited data set are not subject to the HIPAA tracking and accounting requirements. The marginal increase in privacy protections that such an accounting would provide is outweighed by its burdens. DHHS has taken the position that the privacy of individuals with respect to PHI disclosed in a limited data set can be adequately protected through a signed Data Use Agreement.